Looking toward 2013, a plethora of security predictions have flooded into the media. Oftentimes, such predictions go conveniently hand-in-hand with an agenda to sell you products, software, or services to keep you 'safe' from those same security threats on the horizon.
Continued hacking, leaking, and spying are pretty safe guesses on my part, but here’s a roundup of some 2013 security threat predictions by the experts.
Sophos predicts the following “five trends will factor into the IT security landscape in 2013:”
- More of the same, such as SQL injection attacks against web servers and databases.
- Since 2012 saw a surge of “ransomware malware which encrypts your data and holds it for ransom,” expect to see more “irreversible malware.”
- Cybercrooks will develop more toolkits like the Blackhole exploit kit that will have even more premium features.
- There might be better exploit mitigation, so vulnerability exploits may decrease as social engineering attacks sharply increase.
- As mobile devices and applications such as social media, NFC and GPS become more integrated, expect cybercrooks to find "increasingly creative" ways to compromise our security or privacy.
Hacktivism, cross-platform attacks, and malware aimed at critical infrastructure are a few of the security trend predictions by InformationWeek. In the mobile arena, attackers are expected to target QR codes and digital wallets. Gartner analysts said that 2013 will be “about expansion of cloud computing and the struggle by the enterprise to achieve appropriate security for it." Microsoft, however, didn’t mention the cloud in its predictions for 2013. Instead, Microsoft expects:
- Criminals will benefit from unintended consequences of espionage.
- Attackers will increasingly use apps, movies and music to install malware.
- Drive-by attacks and cross-site scripting attacks will be attacker favorites.
- Software updating gets easier and exploiting vulnerabilities gets harder.
- Rootkits will evolve in 2013.
Meanwhile, feeling confident enough to expect boasting at the end of 2013, Zscaler Research predicts that the New Year will see Microsoft finally dancing with the devil and paying for vulnerability information. Also “nation states, desperate for top talent to stay ahead, will not confine themselves to only homegrown talent but become increasingly aggressive bidders on the open market. Unlike physical weapons whose R&D costs limit their production to governments willing to spend billions, 0day information thrives in the private market.”
Along those lines, cybersecurity comes in at number three on the list of “key national security threats,” according to the NationalJournal. “Defense Secretary Leon Panetta recently outlined new warfare terrain: the Internet. Cybersecurity concerns do not simply include hackers and criminals. Panetta said the greater danger is a cyberattack carried out by nation states or extremist groups that could be as destructive as the terrorist attack on Sept. 11, 2001, and ‘virtually paralyze the nation’.”
Conversely, Verizon downplayed cyberwar as being a threat to enterprises in 2013. Unlike some security vendors who make security threat predictions that correlate with selling their products, for the last eight years Verizon has investigated thousands of hacks and published its yearly Verizon Data Breach Investigations Report (DBIR). So despite the many security predictions, Verizon disputes that “cloud exploits, mobile device attacks and all-out cyberwar” are the threats that will emerge on the horizon. Instead, Wade Baker, principal author of the DBIR, told DarkReading that a 2013 data breach is likely to come from “low-and-slow attacks.” In fact, the “most likely threats involve authentication attacks and failures, continued espionage and hacktivism attacks, Web application exploits and social engineering.”
The Verizon RISK team said nine out of 10 intrusions start with "attacks and failures related to authentication" such as usernames and passwords being stolen, easy to guess, or the victims falling for social engineering tactics. Furthermore, Baker warned government and large organizations to expect web application exploits. Baker said, "Organizations that choose to take their chances and ignore secure application development and assessment practices in 2013 are asking for trouble."
The Verizon DBIR [PDF] stated:
In most cases for large organizations notification occurred when the thief made the disclosure known. Perhaps we should create new breach discovery classifications of “YouTube,” “Pastebin,” and “Twitter” for the 2013 DBIR? (Of course, we’re joking (sort of), but it is quite important to understand the role social networking plays in breach discovery, but also in how attacks are initiated using these tools.)
Even if it was meant as a joke, keeping track of breaches disclosed via social media seems like a wise idea.
Happy New Year! May 2013 be your best year yet!